Treasury’s Annual FISMA Audit Results Released

The audit of unclassified systems found that Treasury programs and practices complied with FISMA’s five cybersecurity functions and eight program areas. However, the audit did find eight deficiencies for which KPMG offered 24 recommendations.

Treasury Bureau Deficiencies Identified by KPMG:

Cybersecurity Function: Identify

• Security Assessment and Authorization (SA&A) processes were not consistently completed at the U.S. Mint and the TIGTA.
• System Security Plans were not always updated in accordance with NIST and bureau information security policies at Bureau of Engraving and Printing and Office of the Comptroller of the Currency.
• Monitoring of information security controls for systems hosted by third parties was not consistently defined, documented, and implemented at departmental offices.
• Plans of Action and Milestones (POA&M) were not consistently created and tracked in accordance with department policy at U.S. Mint.
• Information system hardware and software inventory controls were not fully defined and consistently reviewed at U.S. Mint.

Cybersecurity Function: Protect

• Configuration security baselines were not always established, and vulnerability scanning was not consistently performed at TIGTA.
•  Account management policies were not consistently followed for authorizing, reviewing, recertifying, and removing user access at departmental offices, Bureau of the Fiscal Service, U.S. Mint, and TIGTA.

Cybersecurity Function: Recover

• Contingency planning controls were not consistently implemented at TIGTA.

KPMG’s 24 recommendations were directly related to each deficiency cited above.

Treasury management agreed with all the audit findings and recommendations, but also noted specific information security progress and achievements the department made in FY 2018, citing seven specific actions taken. These cybersecurity enhancements included upgrading existing Splunk architecture, finalizing upload of CDM data to the DHS dashboard, deploying six enterprise-wide integrations of Single Sign-On applications, and deployment of Apache Nifi Express for data processing.

TIGTA found that IRS systems “generally aligned with applicable FISMA requirements.” However, TIGTA pronounced that IRS’s security program “was not fully effective,” due to lack of full implementation of program components. TIGTA’s audit of IRS information security rated three cybersecurity functional areas (Identify, Respond and Recover) as “effective,” but rated the areas of Protect and Detect as “not effective.”

IRS Deficiencies Identified by TIGTA:

Cybersecurity Function: Protect

• Configuration Management rated at a maturity level of 2, meaning policies, procedures and strategy are formalized and documented but not consistently implemented.
• Identity and Access Management rated at a maturity level of 3, meaning policies, procedures and strategy are consistently implemented, but quantitative and qualitative effectiveness measures are lacking.
• Data Protection and Privacy rated at a maturity level of 2.

Cybersecurity Function: Detect

• Information Security Continuous Monitoring Metrics rated at level 3.

TIGTA does not include recommendations with its audit findings, however it cautions that “until IRS takes steps to improve its security program deficiencies and fully implement all security program components in compliance with FISMA requirements, taxpayer data will remain vulnerable to inappropriate and undetected use, modification or disclosure.”